Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H captures the AT:P wildcard-config precondition that CVSS 3.1 cannot express separately; PR:L reflects required sender authentication; no confidentiality or availability impact applies.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.
AnalysisAI
Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.
Technical ContextAI
OpenClaw is a chat and communications platform (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) that enforces channel-scoped command authorization through an ownerAllowFrom configuration mechanism, which governs which senders may execute owner-privileged commands within a given channel. The root cause is CWE-863 (Incorrect Authorization): the platform fails to properly bound wildcard (*) ownerAllowFrom state to its originating channel, causing that elevated authorization to propagate across channel boundaries during command evaluation. Both the 'internal' and 'webchat' authentication paths share this flawed authorization logic, indicating the defect resides in a common authorization layer rather than a single interface. The CVSS 4.0 AT:P (Attack Target: Partial) metric directly reflects this: exploitation depends on the presence of a wildcard ownerAllowFrom entry in the deployment - absent that configuration, the inheritance mechanism is not triggered.
RemediationAI
The primary fix is to upgrade OpenClaw to version 2026.4.25 or later, which resolves the improper wildcard ownerAllowFrom inheritance in the internal and webchat command authentication paths per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-4hpg-mp64-x7xq. For deployments that cannot immediately patch, the most effective compensating control is to audit all channel ownerAllowFrom configurations and replace any wildcard (*) values with explicit, channel-scoped allow lists of authorized senders; this directly eliminates the AT:P precondition and removes the attack surface without requiring a software update. Note that this configuration change requires documenting all channels where owner-level commands are legitimately needed before narrowing the wildcard, as over-restriction may break intended administrative workflows. Additional context on the vulnerability is available at https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-ownerallowfrom-wildcard-inheritance-in-internal-webchat-commands.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37156
GHSA-4hpg-mp64-x7xq